4 Healthcare Data Security Questions to Ask When Choosing an Outside Vendor

The information security capabilities of outside vendors have been painfully put on display through several large data breaches in recent years. 

Take Marriott for example. Starting in 2014, hackers stole data from 500 million Starwood Hotels users. What’s worse, they remained undetected in the brand’s system until 2018. 

The passport numbers, contact information, and personal data from these customers were breached, leaving Marriott with a massive loss in revenue and the departure of millions of previously loyal customers. 

Had this been a healthcare vendor, the implications could have been even more severe. 

But, how do you ensure your 3rd party vendor is diligent about healthcare data security?

Healthcare Data Security Questions You Should be Asking

We recognize that protecting patient data is a top priority. As an outsourcing company, we understand the importance placed on data security and confidentiality. To help you navigate the world of outsourcing within healthcare, we’ve put together a list of the top four questions you should consider when looking at outside vendors to handle your patient data. 

We’ve also included answers that are sure signs that the potential vendor stands for data integrity. 

Ready to work with a vendor that prioritized healthcare data security? 


1. What are the employee training expectations and requirements that I should be looking for when considering offshore vendors to handle my patient data?

Our Answer: 

First, a good vendor will strictly adhere to the standard operating procedures of your organization.

They should also require extensive, continuous training on the latest U.S. Healthcare IT regulations for all healthcare resources. 

For example, the training and verification that we provide to our Vietnam team ensure compliance with Business Associate Agreements (BAAs) and other HIPAA guidelines governing confidentiality and patient health information (PHI). Part of the verification process includes:

  • Extensive background checks 
  • Cybersecurity experience 
  • Anti-phishing expertise 
  • Skillset development consisting of:


2. What are the latest US Healthcare IT Regulations a vendor’s resources should be trained in?

Our Answer:


3. What are ways an outsourced vendor should handle my patient data if their resources aren’t subject to U.S. laws?

Our Answer:

  • Fencing of patient data
  • Sandbox testing
  • Anonymized data sets
  • US-based deployment resources
  • Breach notification process
  • Insurance coverage
  • Protection of PHI/PII

At KMS Technology, we design and build software in conjunction with our customers based on intended use and rarely, if ever, need access to live patient data. 

We leverage years of experience with anonymized synthetic data and test all functionality within sandbox environments using data that has veracity but does not represent actual PHI. 

For implementations where access to PHI is unavoidable, we utilize US-based resources that are trained in and subject to US-HIPAA laws and regulations governing the patient health information and personally identifiable information. 

We also carry insurance specifically designed to address coverage for HIPAA and other confidentiality issues as dictated by law and most BAAs. 

4. What are standard governing laws I should ask the vendor about?

Our Answer:

  • OCR HIPAA privacy
  • Patient data security
  • Anti-breach
  • Breach notification rules
  • Confidentiality
  • Sunshine Act: anti-kickback
  • Stark Law


Ready to talk to an experienced vendor who understands the importance of data integrity?

KMS Technology specializes in serving healthcare and IT software companies who are looking to leave their mark on their industry. If you need support to scale or develop your solution, we are here to help. 


Schedule a Free Consultation

Quickly ramp-up teams and accelerate the delivery of your new software product.